Traditional World

Each app team builds their own image (CentOS v1, v2, v3)
  -> Deploy application (1, 2, 3)
  -> PenTest report to Dev (t0 + 1 month)
     * Dev team dealing with out-of-date findings
     * Not machine readable
     * Repeated work across apps 1, 2, 3 (OS-level vulns)
     * Not doing it often enough, for cost and efficiency reasons
  -> Scan in production (VM, WAS, PC etc.)
     * Findings for apps 1, 2, 3
     * Separate patching workflows for running production workloads (v1, v2, v3)

Result: inefficiencies, slows things down, no standardization across teams, repetition in security workflows
The Driver: Scale, Elasticity & DevOps

[Slide shows logos only: CI pipeline, AWS, containers, cri-o]
Can Security Teams Do Better?

Shifting Security to the Left

* Developers and security teams must think about security sooner
* Get security tools into the process earlier
* Automate! Leverage APIs and CI plugins
* Golden images
* Scan in the CI pipeline
  * Vulnerability gates in the pipeline
  * Vulnerability information at the fingertips of Dev
The New Role of the Security Team

* Must not be a roadblock
* Provide security tooling that is self-service for DevOps and Dev
  * CI plugins
  * APIs
  * Scripting
* Verify and audit the process
  * Dashboards / live data
  * Trending
Shift Left with Qualys!

Golden image track:
  Build base hardened OS Golden Image (to be used by multiple teams)
  -> CI/CD Scan (Jenkins VM, Jenkins PC)
  -> Rebuild with fixes for issues identified in staging
  -> CI/CD Scan + Gate (Jenkins VM, Jenkins PC)
  -> Golden Image

Application track:
  Dev teams use the Golden Image and build the app on top
  -> CI/CD Scan (Jenkins VM, Jenkins WAS, Jenkins PC)
  -> Build/Load Application
  -> Rebuild with fixes for issues identified in staging
  -> CI/CD Scan + Gate (Jenkins VM, Jenkins WAS, Jenkins PC)
  -> Deploy

Runtime:
  * Qualys VM, WAS, PC active scans
  * Find less stuff due to standardization and shift left
Qualys Jenkins Plugin

Available on the Jenkins Marketplace:
* Vulnerability Management
* Container Security
* Web Application Scanning
* API Security

Secure the CI Pipeline

[Screenshot: Jenkins, its repositories and the Qualys Vulnerability Analyzer plugin]
Jenkins Vulnerability Management

[Screenshot of the Jenkins VM plugin report "Qualys Report for 10.113.197.71", Qualys Vulnerability Analyzer results. Scan Build Status: FAILED. Scan Name: test_pipeline_jenkins_build_4_2019-05-21-10-18-26. Scan Status: Finished. Tabs: Vulnerabilities, Results Summary. Columns: Type, QID, Title, CVE ID, Severity, CVSSv2 Base Score, CVSSv3 Base Score, Category. Scan metadata: Launch Date, Network, Total Duration, Scan Target. Criteria Evaluation on QIDs, CVEs and CVSS, with a list of excluded QIDs and whether potential vulnerabilities are considered.]


Jenkins WAS Plugin

[Screenshot of the Jenkins WAS plugin report: Scan ID 23011099, Scan Name WASPluginFreestyle..., Scan Status: FINISHED, link to the scan report in the Qualys Portal, Scan Reference, Target URL. Results Summary with Vulnerabilities (43), listed per URL with an "Available Unauthenticated?" column.]

Jenkins Container Security Plugin

[Screenshot of the Jenkins Container Security plugin report for pipeline-project #78, Qualys Report for image e8d112ff7588]

Build Summary
  Build Status: Failed
  Image ID: e8d112ff7588
  Tags: latest
  Size: 828 MB
  Tabs: Vulnerabilities, Installed Software, Layers, Build Summary

  The vulnerabilities count by severity for image id e8d112ff7588 exceeded one of the configured threshold values.
  Configured: Severity 1 > 0; Severity 2 > 0; Severity 3 > 0; Severity 4 > 0; Severity 5 > 0
  Found:      Severity 1: 0, Severity 2: 1, Severity 3: 11, Severity 4: 2, Severity 5: 0

Installed Software tab (Search: QID=176259, comparing with build 4; confirmed and potential vulnerabilities are listed separately)

  Name                      Installed Version           Fixed In Version
  libmagickwand-dev         8:6.9.7.4+dfsg-11+deb9u3    8:6.9.7.4+dfsg-11+deb9u4
  libmagickwand-6-headers   8:6.9.7.4+dfsg-11+deb9u3    8:6.9.7.4+dfsg-11+deb9u4
  libmagickcore-dev         8:6.9.7.4+dfsg-11+deb9u3    8:6.9.7.4+dfsg-11+deb9u4
  libmagickcore-6-headers   8:6.9.7.4+dfsg-11+deb9u3    8:6.9.7.4+dfsg-11+deb9u4
  imagemagick-6.q16         8:6.9.7.4+dfsg-11+deb9u3    8:6.9.7.4+dfsg-11+deb9u4
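As an added example (not the plugin's own code) of the threshold gate visible in the Container Security report above and of the "vulnerability gates in the pipeline" item from the Shifting Left slide, this Python script evaluates constructed scan findings against per-severity thresholds. It assumes the semantics shown in the report (the build fails when a severity's finding count exceeds the configured number), borrows the excluded-QID and potential-vulnerability criteria from the VM plugin slide, and uses a constructed Finding data model; QID 176259 and the ImageMagick packages come from the slide, the other QIDs and packages are invented.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    qid: int
    severity: int            # Qualys severity: 1 (minimal) .. 5 (urgent)
    package: str
    installed: str
    fixed_in: Optional[str]  # None when no fixed version is published yet
    potential: bool = False  # True for "potential" (unconfirmed) findings

def count_by_severity(findings, excluded_qids=frozenset(), include_potential=False):
    """Count findings per severity, honouring QID exclusions and the potential-vuln toggle."""
    counts = {sev: 0 for sev in range(1, 6)}
    for f in findings:
        if f.qid in excluded_qids or (f.potential and not include_potential):
            continue
        counts[f.severity] += 1
    return counts

def evaluate_gate(findings, thresholds, excluded_qids=frozenset(), include_potential=False):
    """thresholds maps severity -> maximum tolerated count ("Severity 3 > 0" on the slide is
    thresholds[3] == 0). Returns (passed, breaches); each breach is (severity, found, limit)."""
    counts = count_by_severity(findings, excluded_qids, include_potential)
    breaches = [(sev, counts[sev], limit) for sev, limit in sorted(thresholds.items())
                if counts[sev] > limit]
    return (not breaches), breaches

def gate_message(image_id, breaches):
    """Render a plugin-style summary line for the build log."""
    if not breaches:
        return f"Image {image_id}: vulnerability gate passed"
    detail = "; ".join(f"Severity {s}: found {n}, threshold > {t}" for s, n, t in breaches)
    return f"Image {image_id}: severity counts exceeded configured thresholds ({detail})"

# Constructed sample: QID 176259 and the ImageMagick packages are from the slide;
# QIDs 900001/900002 and their packages are invented for illustration.
IMAGEMAGICK_PKGS = ["libmagickwand-dev", "libmagickwand-6-headers", "libmagickcore-dev",
                    "libmagickcore-6-headers", "imagemagick-6.q16"]
SAMPLE_FINDINGS = [Finding(176259, 3, p, "8:6.9.7.4+dfsg-11+deb9u3", "8:6.9.7.4+dfsg-11+deb9u4")
                   for p in IMAGEMAGICK_PKGS] + [
    Finding(900001, 4, "example-pkg-a", "1.0-1", "1.0-2"),
    Finding(900002, 2, "example-pkg-b", "2.3", None, potential=True),
]
FAIL_ON_ANYTHING = {sev: 0 for sev in range(1, 6)}  # the "Severity N > 0" config on the slide
if __name__ == "__main__":
    passed, breaches = evaluate_gate(SAMPLE_FINDINGS, FAIL_ON_ANYTHING)
    print(gate_message("e8d112ff7588", breaches))
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

The non-zero exit status is what a CI stage acts on to stop the pipeline; relaxing a threshold or excluding a QID should be a deliberate, reviewed change rather than a way to make the build go green.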

Qualys GitHub

* Automation scripts
* Reporting scripts
* Open source community
* https://github.com/Qualys

© Qualys.

QUALYS SECURITY CONFERENCE 2020

Thank you